I've been using LastPass for a few years now, and something bothers me. I have a nice, secure master password - but if someone gets that, all of my passwords are fair game.

I can partially mitigate this by using Two Factor Authentication (2FA) everywhere that I can. But what I'd really love is a "layered" password manager - one with multiple master passwords. Get in the first layer, you see all of my unimportant accounts. Second layer, the things that I care about a bit. Third layer, things that affect me financially.

That way I'd know 3 passwords, and my most important accounts would be relatively safe.

What you need isn't a "layered/tiered" system, but cryptographic salts. Salts are something added to a password to change it from a generic/reused password to a unique one. The most common example is when storing passwords for multiple users: the "right" way is to include a salt. You store the salt next to the password, you append the salt to the password, then hash the result. This forces attackers who have stolen the password file to run the "guess the password" attack one time for each user instead of once for everybody and then match up passwords.

What you want is to store your password list locally (the salt has to be at least somewhat secret as well) with a salt (a random number with at least 100 bits of randomness) for each site. Should an attacker find your password for a site, all they would know is the hash of the (master password + guessable site text [optional] + salt). Since there is a nearly infinite number of possible salts, this gives an attacker no clue as to what your master password is.

Obviously, this assumes that nobody pulls your password file from your computer, but you still would have the master password to protect you. If hackers sophisticated enough to break your master password are pulling things directly off your computer, you have bigger problems than a few internet accounts being compromised.

Best guess: google a few password managers that store the data locally, and make sure nobody whines about "not using salts" or other "snake oil" failures. I'd expect the top few to at least not have any obvious failures.

my code from http://forums.xkcd.com/viewtopic.php?f=12&t=88888. I completely forgot about the need for the salt (listed as seed in the code) when I first started using it. It is a bit cumbersome, as I typically have to load it up and edit it manually, and have to type "import random" and "random.random()" to get a seed for it. [note that random.random() is highly cryptographically naughty. I really should be using cryptographically secure random number generators. Since I rarely add accounts more than once a day (or even once a week), I feel that I am in far greater danger of having my file stolen (complete with master key, a really bad idea)]. I'd suggest modifying this to take the master key as an input if you want to use this (or better yet, just use a "real" password manager).

For proper layering/tiering I would suggest unique passwords for anything you don't want an attacker who can pull your password manager to have. Unfortunately, the ones I'd like to secure the most are the ones least likely to allow "correct horse battery staple" type passwords. Also I have had to manually add salts until I *removed* enough randomness to pass the "only 'passWORD123!!!' meets the proper uppercase/lowercase/numerics/symbol requirements. Please use that as your password" requirements... Again, a "proper" password manager should include this.

import hashlib
import binascii

pages = ["example.com/"]  # site names to derive passwords for (sample entry; replace with your own)

for i in pages:
    j = i
    if j[-1] == "/":
        j = j[:-1]  # this appears to be obsolete, from when I was planning to cut and paste sitenames
    # sha256(site + master password), base64-encoded, first 10 characters = the per-site password
    print(binascii.b2a_base64(hashlib.sha256((j + "***master password***").encode()).digest())[:10].decode(), j)
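The salted scheme the two posts above describe, worked through as an added example (it is not the poster's script nor any password manager's code): the master password is typed in rather than embedded in the file, each site gets a 128-bit salt from the `secrets` module (the cryptographically secure source the poster says should replace `random.random()`), salts live in a local JSON file, and PBKDF2 stands in for the single SHA-256 so that each guess at the master password costs an attacker more than one hash. The file name `salts.json`, the iteration count and the function names are my assumptions.

```python
import base64
import hashlib
import json
import os
import secrets

SALT_BYTES = 16           # 128 bits of randomness per site, above the "at least 100 bits" suggested above
SALT_FILE = "salts.json"  # assumed local store mapping site -> hex salt; it must stay private to you


def normalize_site(site):
    """Strip a trailing '/' so 'example.com/' and 'example.com' derive the same password."""
    return site[:-1] if site.endswith("/") else site


def load_salts(path=SALT_FILE):
    """Read the salt store, or start empty if it does not exist yet."""
    if not os.path.exists(path):
        return {}
    with open(path) as f:
        return json.load(f)


def save_salts(salts, path=SALT_FILE):
    """Write the salt store and restrict it to the current user."""
    with open(path, "w") as f:
        json.dump(salts, f, indent=2)
    os.chmod(path, 0o600)


def get_or_create_salt(salts, site):
    """Return the site's salt, minting a fresh one from the OS CSPRNG the first time."""
    if site not in salts:
        salts[site] = secrets.token_hex(SALT_BYTES)
    return bytes.fromhex(salts[site])


def derive_password(master, site, salt, length=16, iterations=200_000):
    """Derive a per-site password from master + site + salt.

    PBKDF2-HMAC-SHA256 replaces the single SHA-256 of the script above: an attacker
    holding one site password and its salt must pay `iterations` hashes per master guess.
    """
    key = hashlib.pbkdf2_hmac("sha256", master.encode(), site.encode() + salt, iterations)
    return base64.b64encode(key).decode()[:length]


def site_password(master, site, salts):
    """Normalise the site name, fetch (or mint) its salt, and derive the password."""
    site = normalize_site(site)
    return derive_password(master, site, get_or_create_salt(salts, site))


if __name__ == "__main__":
    import getpass

    master = getpass.getpass("master password: ")  # typed in, never written to disk
    salts = load_salts()
    for site in ["example.com/", "forums.example.org"]:  # constructed sample sites
        print(site_password(master, site, salts), normalize_site(site))
    save_salts(salts)  # persist any salts minted on this run
```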

Lastpass doesn't store passwords in the cloud, it stores an encrypted password directory in the cloud. The decryption of this directory happens locally.

Given that the directory is AES256 encrypted, I think this is a reasonable trade off to be able to share your password directory across multiple devices. Of course, if you only use Lastpass on one device, you're better off using a local password manager, e.g. one built in to your desktop environment.


Any thoughts? Suggestions? Is there anything that does this yet?

If you're worried about cracking, doing this is much less effective than just memorizing a triple-length password and using it for everything. (Where "much less" is probably "roughly infinitely less" in practice, given appropriate "normal" length passwords.)

If you're worried about keylogging, the layers are mostly irrelevant - it's very likely you'll get into the second or third layer semi-regularly, at which point the logger has it. At best this delays things a little bit.

As long as you're not storing your master password anywhere but your head, you're fine. Don't worry about it.

Zorlin wrote:I've been using LastPass for a few years now, and something bothers me. I have a nice, secure master password - but if someone gets that, all of my passwords are fair game.

Ok, after reading this post, I feel a little embarrassed I had to google password manager and "LastPass" and just realized that I have been using the simplest of passwords for a variety of different sites and even the exact same one for plenty! I believe I've been fortunate so far and never hacked, but articles I found on the net that mention tools and methods that easily crack passwords have gotten me concerned.

I followed the tips but realized quickly how difficult it will be to remember more or less any of them so they suggest to use a password manager like LastPass to somehow manage all of these different password varieties. It says to only use a "master password" for trustworthy websites and talk about disposable one-time passwords for less secure sites like forums. What do they mean here? Should I not include forums in my password manager? Is this because a hacker can get access to the master password when interacting on less secure sites like forums?

Xanthir wrote:If you're worried about keylogging, the layers are mostly irrelevant - it's very likely you'll get into the second or third layer semi-regularly, at which point the logger has it. At best this delays things a little bit.

As long as you're not storing your master password anywhere but your head, you're fine. Don't worry about it.

Hi Xanthir. Sorry for being a bit of a noob, but will a keylogger be able to retrieve my master password and consequently get access to all the sites that are registered on the password manager? Is there no form of security or encryption involved to stop it? Like the OP, I am a little worried about how just one password (master password) for everything is a safe method.

I just realized how far behind I am with this knowledge, so have to get both updated and secured ASAP! Any help is appreciated.

Here's how I use my LastPass account:

1. I pay the $12 a year to get Premium - this allows me to use it on all of my devices & through the web, and allows multifactor authentication. You can try premium service for free for two weeks.
2. I use it to manage pretty much all of my passwords, and make them as complex as websites allow (32 characters-long with all special characters is probably overkill, but it's easy enough to do), and different for every website.
3. I have multi-factor authentication turned on. This means that, in order to log in, I need my master password, in addition to a code I get on my mobile app that keeps changing every minute. Having a keylogger wouldn't help if they can't authenticate they have access to my phone.
4. My master password is very long and pretty secure (it's in the 40-50 character range). It's easy for me to remember, too.

At home my computer knows the password manager and fills out passwords automatically. If I want to do any significant changes, I have to put in my password and (sometimes) authenticate - you can control how often it asks you to put in the master password. On my phone I have it set up with my mobile app - I trust the fingerprint reader on my Nexus 5X, but others might not. At work or random computers I just put in my password and authentication code.

The only thing I feel is missing is actually having an alternate e-mail address I can use in case I lose access to LastPass and need to reset my Google account password. I... should get on that. I'll probably open an account at a different company (Yahoo or whatever), and use a long (memorable) master password for it - my Google password is in Last Pass.

Zohar wrote: At home my computer knows the password manager and fills out passwords automatically. If I want to do any significant changes, I have to put in my password and (sometimes) authenticate - you can control how often it asks you to put in the master password. On my phone I have it set up with my mobile app - I trust the fingerprint reader on my Nexus 5X, but others might not. At work or random computers I just put in my password and authentication code.

Hi again Zohar. Thanks for coming to the rescue as you have done before. Very good overview of how the password manager works. I still did not understand fully. Which type of password are you using at work or on a random computer? Are you using your Master Password and authentication code on whichever computer you are using, and through that, you get access to a database in the cloud that has all of your stored passwords? Will it automatically fill in the correct password for all the specific sites that you wish to access, similarly to at your computer at home?

Should I manually create complex passwords for each site and enter it into the password manager or should these passwords be randomly created by a generator?

I have one long master password for LastPass. Let's say it's "This is my long password!". On my personal computer, I have the LastPass add-on installed - I use it to automatically generate secure random passwords when I register to stuff, and it auto-fills them. If I'm at a different computer, I go to lastpass.com and log in with my long password ("This is my long password!"), and put in the authenticator code from my mobile app - for this you need the premium service. Then I get to a screen with all my saved passwords, search for whatever password I need, copy and paste it to the website I need to use it in. If I need to register for something new, I can also use the password generator from the website (or just go here). The passwords won't be automatically filled in unless I install the add-on. And you only need to create one strong password, everything else should be randomly generated by the password manager's generator.

It sounds cumbersome, and it took a little bit of getting used to, but I definitely feel a lot more secure - all my passwords to all of my websites are very strong, and all different from each other. And the password manager's password is strong and memorable, and even if someone steals that somehow they can't access it without also having access to my phone.

Snarlock wrote:I followed the tips but realized quickly how difficult it will be to remember more or less any of them so they suggest to use a password manager like LastPass to somehow manage all of these different password varieties. It says to only use a "master password" for trustworthy websites and talk about disposable one-time passwords for less secure sites like forums. What do they mean here? Should I not include forums in my password manager? Is this because a hacker can get access to the master password when interacting on less secure sites like forums?

You're misreading - that sort of advice (use a strong password for "trustworthy" sites, use lots of disposable ones for less important sites) is for people *not* using a password manager, and still trying to rely on their brain to manage passwords. That's a terrible idea, your brain is bad at that, don't do it. (But hey, it's at least better than using a single weak password for everything.)

If you're using a password manager, then you memorize a single strong password for it, and then generate long impossible-to-remember passwords for literally everything else.

Xanthir wrote:If you're worried about keylogging, the layers are mostly irrelevant - it's very likely you'll get into the second or third layer semi-regularly, at which point the logger has it. At best this delays things a little bit.

As long as you're not storing your master password anywhere but your head, you're fine. Don't worry about it.

Hi Xanthir. Sorry for being a bit of a noob, but will a keylogger be able to retrieve my master password and consequently get access to all the sites that are registered on the password manager? Is there no form of security or encryption involved to stop it? Like the OP, I am a little worried about how just one password (master password) for everything is a safe method.

Keyloggers log keys. All the keys. It's not hard to do so, and there's really nothing a program can do to protect themselves; if a keylogger is capable of installing itself you're pwned anyway. Don't download rando programs.

Luckily, most attack software isn't interested in your passwords; mostly it'll just enslave you into a botnet or encrypt everything and deliver a ransom note. The rare cases when they are fishing for passwords, they can harvest plenty just by looking for typing on important websites, as most people just memorize their passwords. Your password manager is safe just by virtue of it being too much effort to be worth cracking when there's so much low-hanging fruit around. But still, don't download rando programs.

Zohar wrote:...Then I get to a screen with all my saved passwords, search for whatever password I need, copy and paste it to the website I need to use it in.

Zohar wrote:The passwords won't be automatically filled in unless I install the add-on. And you only need to create one strong password, everything else should be randomly generated by the password manager's generator.

Zohar wrote:And the password manager's password is strong and memorable, and even if someone steals that somehow they can't access it without also having access to my phone.

Thank you Zohar. I now clearly understand how a password manager works in practice. I will most certainly pay for a premium service as well because I like the idea of the multifactor authentication through SMS. If you were travelling overseas and had to stop at an internet cafe, would you still log onto the password manager's website? The extra authentication makes it viable but I wonder, would people be able to physically see the passwords that are listed or are they encrypted but still lets you copy and paste?

Since you said you remember your Master Password without problem, did you create your own password system for it? I would assume that the Master Password needs to be long, yet manually set so that you will be able to recall it whenever you are away from home. One of the tips from the digital guide that I found interesting was to practise password memorization by setting the combination as the login password on your PC. This way you will be asked to enter it whenever you get back to your computer after a break.

Xanthir wrote:Keyloggers log keys. All the keys. It's not hard to do so, and there's really nothing a program can do to protect themselves; if a keylogger is capable of installing itself you're pwned anyway. Don't download rando programs.

Luckily, most attack software isn't interested in your passwords; mostly it'll just enslave you into a botnet or encrypt everything and deliver a ransom note.

I see! Thanks for clearing that up. I wondered about this for quite a while.

Remember that Security is not just "don't let the wrong person get your important stuff" but also "don't yourself lose your important stuff".

I've dropped out of more online things than I care to know about (some important, some not[1]...) because I lost my own access, and others have been on the edge.

Back in university, more than 20 years ago, I came back after one summer break to realise I'd forgotten my password the system had asked me to periodically reset just before I'd left, but all that took was a trip to the Data Centre with my ID[2]. But I have at least three casual Gmail accounts that I can no longer use because I left them unused for too long, and no easy way to get back in because whatever authentication methods I used (mobile number, a yahoo mail account, an email account on a private domain I gave up management of...) are themselves defunct. I am doubtless using (unimportant) things right now with expired methods of password reset (including android accounts of tablets that suddenly stopped working or were stolen, and replaced without imagining I needed a continuation of account) and despite my past experiences of these things I'm entirely too vulnerable to these things. With any luck nothing actually vital, and I most definitely find that loss of personal access is a lesser problem than somebody else gaining access, thus I take the total disconnection risk as a 'benefit' against being impersonated by keeping my accounts too trivially unlocked.

Which is a long-winded way of saying that whatever PM system you use, in this modern multi-device world, don't forget that you can so easily grandfather out all your initially-planned recovery avenues, never mind being at the whim of the loss of master-authentication service. Keep an eye on it. Imagine that your provider ceases to exist. I don't think Verisign still certificate, for example, although that's a slightly different issue. But if/when discontinued (and/or maliciously subverted to render them useless) how do you now (re)gain access to your rightful resources.

I don't use Paypal (although apparently I need to reauthenticate my non-existent account, via this random Bulgarian web-site) nor even use an online bank-account of a clicks'n'mortar origin (so even when my actual bank emails me, by way of web.ihavebeenhacked.com/www/mybankname, I happily ignore that) so I'm not personally liable for great discomfort.

What I have done, to manage my passwords to inconsequential resources, is have two post-it notes with scrawled clues to the more important site/username/password (in a non-obvious way of my own devising), one to carry with me for handy reference, the other safe at home. The carried one when lost (to no effective consequence) or sufficiently damaged is recreated from the home copy. I even considered a RAID5 system of three XOR-ishly relatable/recreatable copies at one point. I now use a different manual system, that I won't reveal only because of generic paranoia.

This does not secure me against keylogging/MITMing over unsecured and unsecurable systems, of course. Password managers that tap (presumably straight) into the SSL/https system of encrypted authentication would be more useful, but then I (think I) practice Safe Hex and know something of what devices I use, and as I keep practically all my (often unimportant) online lives separate and subtly disconnected from my Real Life™, I can stand the potential to lose 'everything' (mostly just any locally-acquired reputation, no great loss) from each individual problem (either disconnect or theft) with each individual locale. And have done. (By disconnect, only, in all such cases that I can actively recall.)

Perhaps, though, you can use all your fancy Password Management features, but make such an 'encoded' note of your 40 character 'random' cross-character-type passwords (necessarily generated in a way that you can see what they are!), on spare bits of paper that you then keep safe, and backed up, even giving a copy to your parents, a colleague or even your ex... I won't suggest exact methods of doing this, but a trivially memorised constant (or mnemonically clued-in variable, in each line) transformation and steganographical 'packing' would be (and has been) my starting point. Done not just for password, but for username/site (or encoded abstract clue, like "xkf ss" as a woefully weak but demonstrable version for my account here, after which would appear the sixty-character manual obscuration giving only you the exact forty-character password). As a backup, of course. And always remember to refresh and update this (burn the original) when necessary.

TL;DR;... umm, sorry, that's far too long.

[1] I have a number of early Urban Dead characters long 'dead', unless I have inspiration of not only what their passwords are, but also their respective names, thanks to the home/workplace hardware I played them on not being available to me for many a year.

[2] And, ironically, I not only immediately remembered the now-reset (and barred from re-use!) password, but I still remember it to this day. More than I remember its successor, definitely.

Snarlock wrote:If you were travelling overseas and had to stop at an internet cafe, would you still log onto the password manager's website?

Yes, although I wouldn't set up my authentication method as SMS, I would use an app. For SMS, I need to have my SIM card installed and working. On the other hand, you can use the Google Authenticator app, which runs even without internet access, and generates those numbers for you.

The extra authentication makes it viable but I wonder, would people be able to physically see the passwords that are listed or are they encrypted but still lets you copy and paste?

Generally yes, I have to click on whatever service I want to copy the password of, click the "show password" button, then copy that. During that time, the password is visible. But since it's usually something like this: aEU9nG@p7e*iYVM21PJ*bJc4OpQ%bne3 I don't worry too much anyone will see it.

Since you said you remember your Master Password without problem, did you create your own password system for it?

I use a relatively easy-to-remember phrase for me. You should find what's easiest for you. This is a good method, though I would suggest you use a longer combination of words. And practicing it often at first is a good idea.

Soupspoon wrote: Remember that Security is not just "don't let the wrong person get your important stuff" but also "don't yourself lose your important stuff".

Which is a long-winded way of saying that whatever PM system you use, in this modern multi-device world, don't forget that you can so easily grandfather out all your initially-planned recovery avenues, never mind being at the whim of the loss of master-authentication service. Keep an eye on it. Imagine that your provider ceases to exist. I don't think Verisign still certificate, for example, although that's a slightly different issue. But if/when discontinued (and/or maliciously subverted to render them useless) how do you now (re)gain access to your rightful resources.

Hi Soupspoon. That was a very long reply but it opened my eyes for sure. I can surely see the problem with losing access further down the line, and your debate about the possibility of a password manager service provider going bankrupt got me thinking about how it is with owning digital software like videogames. At any point in time, the possibility to use the games you pay for may cease to exist. Even though you rightfully own the games, they still somehow behave like rental only, and worst case scenario, not be available for re-download when the provider decides to pull the plug.

Zohar wrote:Generally yes, I have to click on whatever service I want to copy the password of, click the "show password" button, then copy that. During that time, the password is visible. But since it's usually something like this: aEU9nG@p7e*iYVM21PJ*bJc4OpQ%bne3 I don't worry too much anyone will see it.

Ah, that makes sense! Yeah, as long as the password is randomly generated, I guess it would not matter as long as nobody took a picture of your screen. But still, only risky if used for important sites. Besides, I assume that important sites have an additional security measure, similarly to the secondary authentication method with LastPass.

Zohar wrote:Yes, although I wouldn't set up my authentication method as SMS, I would use an app. For SMS, I need to have my SIM card installed and working. On the other hand, you can use the Google Authenticator app, which runs even without internet access, and generates those numbers for you.

Right, because if you are overseas, you might not be able to use your simcard? But your phone together with another sim card or WiFi connection will let your app still work?

For Google Authenticator (and other TOTP apps), it doesn't need any Internet connection to work... as long as you connect to it for long enough for it to sync the clock on your phone every now and again (because if the clock on your phone is out by more than a minute or so, depending on what you're logging into, it won't work).
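To show why the phone's clock matters, here is an added example (not from any poster, and not Google Authenticator's code) of the RFC 6238 TOTP computation with the usual 30-second step, plus a server-side check that accepts one step either side: a phone clock 90 seconds off produces a code the server rejects. The sample base32 seed, the step size and the window are assumptions; the HOTP/TOTP arithmetic itself is the standard one.

```python
import base64
import hashlib
import hmac
import struct
import time

STEP = 30    # seconds per TOTP step (the common default)
DIGITS = 6
WINDOW = 1   # verifier accepts the current step and one step either side


def hotp(secret, counter, digits=DIGITS):
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, at, step=STEP):
    """RFC 6238 TOTP: HOTP where the counter is the number of steps since the Unix epoch."""
    return hotp(secret, int(at) // step)


def verify(secret, code, server_time, window=WINDOW, step=STEP):
    """Server-side check: compare in constant time against steps server_time-window .. +window."""
    counter = int(server_time) // step
    return any(hmac.compare_digest(hotp(secret, counter + d), code)
               for d in range(-window, window + 1))


def decode_base32(seed):
    """Authenticator apps show the shared secret as base32; normalise, pad and decode it."""
    seed = seed.strip().replace(" ", "").upper()
    return base64.b32decode(seed + "=" * (-len(seed) % 8))


def phone_vs_server(secret, server_time, phone_offset):
    """Generate a code on a phone whose clock is phone_offset seconds off; report if the server accepts it."""
    code = totp(secret, server_time + phone_offset)
    return verify(secret, code, server_time)


if __name__ == "__main__":
    secret = decode_base32("JBSWY3DPEHPK3PXP")  # constructed sample seed, not a real account
    now = time.time()
    for off in (0, 20, 90, 600):
        print(f"phone clock off by {off:>3}s -> server accepts: {phone_vs_server(secret, now, off)}")
```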